I don't know if this has been raised on this forum regarding IM content, but think it has for e-mail and VoIP.
Be sure you have full institutional policy, procedure and legal buy in for the recording of IM content.
Discussions I have had with our Missouri Attorney's General Office indicate It may be considered an improper wire tap, especially if you are not disclosing to users that their IM may be recorded & monitored. (e-mail, VoIP etc. other network traffic too)
Good policy , sign on banners and signed acceptable use documents protect you as much as they protect users. Make sure these documents contain detailed language that includes the conditions under which you may be recording traffic such as for diagnostic or archival purposes.
Mike
--------------------------------------------------------------
Michael C. Harris
System Security Analyst & Instructor
University Of Missouri Health Care
harrismc at health.missouri.edu KCØPAH
-----------------------------------------------------------------
>>Micheal Cottingham wrote:
>>>> I know this has been discussed before, but this is something I want to
>> revisit following an incident at my institution. Right now I'm looking
>> at IMLogic IM Manager and Akonix products. I want to record
>> conversations, map employee names to a central database, be able to
>> flag a screen name for further investigation, etc. We have an IPS on
>> our boundary, so I'm not as worried about IM worms.
>Gary Flynn:
>Our Juniper IPS has a feature called Profiler that inventories things like
>instant message screen names, HTTP user agents and versions, gnutella agents
> and versions, HTTP server versions, etc.
>>It does not collect content but the screen name to IP address mapping may come
>in handy in harassment or abuse cases.
>>We have written signatures for the IPS to block instant message traffic with
>known malicious links in buddy and away messages though they don't appear to
>catch all of them...probably due to a combination of the proliferation of
>protocol versions, some clients going to the trouble of enabling encryption,
>and my own ignorance of instant message protocols and applications.
--